BYOD and Guest Access Workshop: Enabling BYOD. Carlos Gomez Gallego, Network Services Team

Page 1: Enabling BYOD Workshop
Aruba Network Services Team
March 2013
#airheadsconf
CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved

Page 2: Agenda
•  Deploying ClearPass Onboard
•  BYOD Policy
•  Technology Overview
•  Profiling BYO Devices
•  Integrating ClearPass with MDM
•  Onboard Provisioning
•  Troubleshooting
•  Q&A

Page 3: Onboarding with ClearPass

Page 4: Deploying ClearPass Onboard
•  Planning
   –  BYOD Policy
•  Configuring
   –  CA settings
   –  Network Settings
   –  Provisioning Settings
   –  Advanced Settings
•  Lifecycle Management
   –  User experience
   –  Lost, expired, revoked devices
   –  Troubleshooting

Page 5: BYOD Policy

Page 6: Building a BYOD Policy (Gartner)
•  Device diversity
•  Policy enforcement
•  Security and compliance
•  Containerization
•  Inventory management
•  Software distribution
•  Administration and reporting
•  IT service management
•  Network service management

Page 7: Technology Overview

Page 8: Technology Overview
•  Detecting new BYO Devices
   –  Lack of Provisioned Credential
   –  Device Profiling
   –  MDM Integration
•  User Managed Provisioning Workflow
   –  Setup PKI for device credentials
   –  Provisioning Settings
   –  Network Settings
   –  Advanced Settings
   –  Troubleshooting

Page 9: BYOD Workflow
Diagram stages: Join BYOD Domain; Onboard Device; Visibility & Reporting; Device Access Controls.

•  Supplicant Config
•  Push Trusted Cert
•  Enable Posture
•  Set Auth type

•  Enrolment workflow
•  Authorize User to provision device
•  Device credential push
•  Link User to Device

•  Complete view of device & network
•  Command & Control
•  Inventory
•  Diagnostics

•  Revoke Device Access
•  Device Profiling
•  Role Derivation
•  Corp vs Employee Liable

Page 10: Deployment Architecture
Diagram: "Bring Your Own" client devices (iOS, Windows, Mac OS X, Android) connect through the network to ClearPass Onboard and ClearPass Policy Manager (the authentication server). Labels, numbered 1 to 4 on the slide: Users enroll with Onboard Workflow; Devices authenticate with Unique Device Credentials; Manage Devices; Policy Definition; Administer Secure BYOD; Network Access.

Page 11: Detailed Architecture
Diagram labels: "Bring Your Own" client devices; Over-the-Air Provisioning (iOS and OS X 10.6+); QuickConnect™ Provisioning (Windows, Mac OS X, Android); AP; Aruba Controller; Web Login Page; ClearPass Onboard (Onboard GUI, Onboard Workflow, Certificates, Users); ClearPass Policy Manager (Users, Endpoints); EAP-TLS (Device Certificate) from the client devices through the network to the server.

Page 12: Onboard Workflow – iOS & OS X
Sequence between the iOS device, the network infrastructure, ClearPass Onboard and ClearPass Policy Manager.
Captive portal:
1. Associate, HTTP GET
2. Redirect to Provisioning role
Pre-provisioning:
3. Request mobile device provisioning page
4. Download and install root certificate from portal
5. Login with provisioning user's credentials; authenticate with Active Directory
Provisioning:
6. Apple Over-the-Air Provisioning
7. Provisioning complete; switch to EAP-TLS
Onboard Complete:
8. EAP-TLS Auth / RADIUS Auth (EAP-TLS)
9. Client certificate verified; Access-Accept
10. EAP-Success; server certificate verified; device authenticated

Page 13: iOS "Over-the-Air Provisioning"
Sequence between the iOS device, the network infrastructure, ClearPass Onboard and ClearPass Policy Manager (the Apple Over-the-Air Provisioning step of the previous slide):
1. Start device enrollment (signed profile payload)
2. Request for enrollment
3. User authenticated for device enrollment
4. SCEP enrollment profile
5. Request device certificate using SCEP
6. Issue SCEP certificate for device
7. Install device identity certificate
8. Request device configuration profile (signed)
9. Generate TLS certificate and payload with Onboard settings
10. Device configuration profile (signed + encrypted)
11. User accepts enrollment profile
12. Install profile and return to Safari
13. Refresh enrollment progress page
14. Switch to EAP-TLS
15. Provisioning Complete

Page 14: Onboard Workflow – other OS's
Sequence between the Android device, the network infrastructure, ClearPass Onboard and ClearPass Policy Manager.
1. Associate, HTTP GET
2. Redirect to Provisioning role
3. Request mobile device provisioning page
4. Detect device type; return provisioning portal page
QuickConnect Provisioning:
5. Download Onboard configuration
6. Launch app
7. Device enrollment; push unique device credentials
8. Provisioning complete; switch to PEAP
Onboard Complete:
9. PEAP-MSCHAPv2 Auth / RADIUS Auth (PEAP-MSCHAPv2)
10. Verify unique device credentials; Access-Accept
11. EAP-Success; server certificate verified; device authenticated

Page 15: Onboarding Deployment Options
Diagram: iPad and Android client devices as 802.1x supplicants; AP and Aruba Controller as 802.1x authenticator; ClearPass Policy Manager as 802.1x authentication server, with Active Directory and the Endpoints and Users databases. Provisioning SSID "BYOD"; Provisioned SSID "Employee-Secure".
•  Different SSID for Provisioning & Provisioned
   –  Standalone SSID
   –  Linked from Guest Access Portal

Page 16: Onboarding Deployment Options
Diagram: iPad and Android client devices as 802.1x supplicants; AP and Aruba Controller as 802.1x authenticator; ClearPass Policy Manager as 802.1x authentication server, with Active Directory and the Endpoints and Users databases. Provisioning & Provisioned SSID "Employee-Secure".
•  Same SSID for Provisioning & Provisioned
   –  Device Profiling
   –  Lack of provisioning credential
   –  MDM integration

Page 17: Onboarding Workflow
1. Device type automatically detected & redirected to portal
2. Settings & credentials are auto-configured after user enters domain credentials
3. User automatically placed on proper SSID & network segment

Page 18: Detecting BYO Devices

Page 19: Power of context aware policies
•  No longer a binary decision
•  Leverage context sources to determine enforcement
   –  Active Directory Group Membership
   –  Machine authentication for domain joined devices
   –  Device Type / Posture of the device
   –  Managed by MDM / context from MDM
   –  Lack of provisioned credential
•  Differentiate Corporate Managed / Provisioned devices
   –  Enforce Machine Authentication differently
   –  Enforce MDM managed differently
   –  Enforce Onboard provisioning differently
   –  Redirect unmanaged / un-provisioned device to provisioning workflow (for example, only using PEAP AD credentials)

Page 20: Sources of Profile Data
•  Native
   –  MAC OUI
   –  HTTP User Agent (Captive Portal Services)
   –  Onboard (explicit knowledge from client OS interactions)
   –  OnGuard (explicit knowledge from client OS interactions)
•  Network Sourced
   –  DHCP Option fingerprinting (DHCP relay)
   –  Subnet scan with SNMP profiling (CDP, LLDP, sysDescr)
   –  AOS Controller 6.3 export (DHCP, HTTP, mDNS)
•  Agent / Server Integration
   –  MS Exchange (ActiveSync device type)
   –  MDM Deployments
•  Fingerprints updated automatically over the net

Page 21: Sample Profile Dashboard

Page 22: Example Enforcement Policy

Page 23: Service Definition workflow
Incoming Request

Service Rule: Define the unique attributes contained in the RADIUS request that can be used to match this Service. Consider ordering the rules to assist with the matching. This is also the place to enable the different functions of CPPM that you would like to use in the policy, including Authorization, Profiler, Posture and Audit.

Authentication: Define the authentication methods the client will use, as well as the authentication sources used to determine a user's or device's access rights. This can contain multiple sources, depending on the use case.

Authorization: Define the sources from which detailed information about the user or device can be pulled. All sources added as part of Authentication are already defined as Authorization sources. This information is used in Role mapping and Enforcement profiles.

Roles: Pull together attributes of the user/device/connection to define Roles that can be used to define Enforcement actions. Try to keep these simple so that future modification is simple. Tip: Use "Evaluate all" (apply all) roles to match multiple roles to a single connection and keep the role definitions simple.

Page 24: Service Definition workflow (continued)

Enforcement: Based on the Roles, Posture and other aspects of the user/device connection, define the actions that the NAS should take. This should be set as "first applicable", so order is important.

Posture: Define the aspects of the host that should be checked during authentication. Based on the pass/fail result of the host check, set the Posture token. It is common to bounce a session after a posture check so that the health information can be applied to the user/device connection.

Profiler: The use of Profiler in a role is to bounce a session after new information is learned about a device, so that Role/Enforcement mapping can be reapplied to the user/device.

Audit: Nessus/NMAP can be run against hosts, and Roles can be applied based on the results of the scan.

Diagram labels: RADIUS Response; RADIUS CoA; RADIUS CoA; RADIUS CoA.
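The service flow on these two slides, modelled as an added example (not ClearPass code): role mapping runs with "evaluate all", so every matching rule adds a role, and enforcement runs "first applicable", so rule order decides; the attribute names, CA names and sample requests are constructed assumptions that mirror the deck's context sources (AD group, machine authentication, MDM posture, lack of a provisioned credential), not CPPM's real dictionary.

```python
# Added illustration, not ClearPass code: a minimal model of the service flow on
# these slides. Role mapping is "evaluate all" (every matching rule adds a role);
# enforcement is "first applicable" (rule order decides). Attribute names, CA
# names and sample requests are constructed assumptions, not CPPM's dictionary.

ROLE_RULES = [
    # Domain-joined machine: EAP-TLS with a certificate from the corporate AD CA
    ("Machine-Authenticated",
     lambda r: r["auth_method"] == "EAP-TLS" and r["cert_issuer"] == "Corp-AD-CA"),
    # Onboarded BYO device: EAP-TLS with a certificate issued by the Onboard CA
    ("Onboarded",
     lambda r: r["auth_method"] == "EAP-TLS" and r["cert_issuer"] == "Onboard-CA"),
    # Context polled from the MDM (cf. "MDM Enabled", "Compromised", "Blacklisted Apps")
    ("MDM-Managed", lambda r: r["mdm"]["enabled"]),
    ("MDM-Noncompliant",
     lambda r: r["mdm"]["enabled"]
     and (r["mdm"]["compromised"] or r["mdm"]["blacklisted_apps"])),
    # Authorization source: Active Directory group membership
    ("Employee", lambda r: "Employees" in r["ad_groups"]),
    # Lack of a provisioned credential: still authenticating with PEAP AD credentials
    ("Unprovisioned", lambda r: r["auth_method"] == "PEAP-MSCHAPv2"),
]

# Ordered list: restrictive outcomes first, because evaluation stops at the
# first rule whose required roles are all present on the connection.
ENFORCEMENT = [
    ({"MDM-Noncompliant"}, "Quarantine"),
    ({"Machine-Authenticated"}, "Employee-Secure"),
    ({"Onboarded", "Employee"}, "Employee-Secure"),
    ({"MDM-Managed", "Employee"}, "Employee-Secure"),
    # Unmanaged, un-provisioned employee device: redirect to the provisioning workflow
    ({"Unprovisioned", "Employee"}, "Provisioning"),
]
DEFAULT_PROFILE = "Deny"

def map_roles(request):
    """Evaluate all role-mapping rules and return every matching role."""
    return {role for role, cond in ROLE_RULES if cond(request)}

def enforce(roles):
    """Return the first enforcement profile whose required roles are all present."""
    for required, profile in ENFORCEMENT:
        if required <= roles:
            return profile
    return DEFAULT_PROFILE

def evaluate(request):
    """Sorted roles of the connection and the enforcement profile they produce."""
    roles = map_roles(request)
    return sorted(roles), enforce(roles)

def make_request(auth_method, cert_issuer=None, ad_groups=(),
                 mdm_enabled=False, compromised=False, blacklisted_apps=False):
    """Constructed sample request; the keys are illustrative, not RADIUS attributes."""
    return {"auth_method": auth_method, "cert_issuer": cert_issuer,
            "ad_groups": set(ad_groups),
            "mdm": {"enabled": mdm_enabled, "compromised": compromised,
                    "blacklisted_apps": blacklisted_apps}}

if __name__ == "__main__":
    # A new employee iPad on PEAP with AD credentials lands in the provisioning workflow
    print(evaluate(make_request("PEAP-MSCHAPv2", ad_groups={"Employees"})))
```

Swapping the order of the Quarantine and Employee-Secure rules shows why "first applicable" matters: a jailbroken MDM-managed employee device would then be granted full access.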

Page 25: MDM Integration

Page 26: Managing Mobility
Diagram contrasting MDM (Device Management, data at rest) with NAC (Network Infrastructure, data in motion). Labels: Firmware & patch management; Remote wipe & control; Device-level visibility; Configure network settings; Identify the user; Protect the network; Provision & revoke device credentials; Push & provision apps; Restrict usage & bandwidth.

Page 27: Integrating Leading MDM Vendors
•  ClearPass uses public APIs for:
•  Normalize MDM endpoint data across vendors

Page 28: Mutually Leverage Context
Exchange endpoint context & trigger policies
Device Policies:
•  Device restrictions
•  Remote Lock & Wipe
•  Install Application
•  Black list Apps
Network Policies:
•  Firewall Policies
•  Redirect to enroll
•  Quarantine devices
•  Bandwidth Prioritization

Page 29: ClearPass MDM Integration
Using MDM device information for Policy. Diagram (MaaS360 as the MDM, ClearPass cluster on the other side):
•  Endpoint data replicated to ClearPass cluster
•  Device type & posture polled for policy decisions & reporting
•  CoA triggers network enforcement

Page 30: Use MDM Attributes for Network Policy
MDM Attributes
Inventory:
   Manufacturer: Apple
   Model: iPad2
   OS Version: iOS 6.1
   UDID: 1730235f564094186
   Serial Number: 79049XXXA4S
   IMEI: 012416009780168
   Phone Number: 408-534-2819
   Carrier: Verizon
   MDM Id: 130d0f992t34
   Owner: jhoward
   Display Name: John Howard
   Ownership: Employee Liable
Posture:
   MDM Enabled: Yes
   Compromised: Not Jailbroken
   Encryption Enabled: Yes
   Blacklisted Apps: No
   Required Apps: Yes
   Last Check in: 01/30/2012 9:03am

Page 31: Setting Network Policy
Policy Example: use context from ClearPass + MDM to set network policy
• Application installed / blacklisted
• Device Profile
• OS version
• Endpoint health
• Jailbreak status
• Pincode/encryption
• Location (trusted or untrusted network)
• Time/Date (e.g. in semester)
• User/group membership

Page 32: Integrated User Onboarding
Provisioning Workflow:
1. Detect un-enrolled device connected to the network
2. Redirect to MDM self-service portal or prompt user to download MDM agent
3. Host MDM application from network captive portal
4. Install MDM agent on my device

Page 33: Onboard Setup

Page 34: Certificate Authority Setup
•  TLS client certificate provisioned per device
•  Onboard using built-in CA
   –  Act as standalone Root CA
   –  Integrate with existing PKI as Intermediate CA
   –  SCEP Proxy options coming soon
•  Certificates replicated throughout cluster
   –  Onboard proxied to publisher node (HTTP proxy)
   –  Proxy process transparent to client device
   –  Client certificates replicated to and available on subscribers
•  OCSP Responder available from subscribers
   –  Locally check for revocation of client certificates
   –  OCSP configured to override to localhost

Page 35: Configuring Onboard - Walkthrough
CPPM Demo Server

Page 36: Troubleshooting

Page 37: Managing client certificates
•  Revoke/Delete client certificates
•  Quick search to find specific users/devices

Page 38: Apple Captive Network Assistant
Diagram labels: WiFi Clients; Open SSID for Guest Access; Aruba Mobility Controller; External Captive Portal Redirect; ClearPass Guest (10.169.130.50); CP Guest Hosted Captive Portal Pages; /landing.php; /Aruba_Login.php; Apple Captive Network Assistant Request; User Web Browser initial request.
Controller configuration:
   aaa authentication captive-portal "guestnet" login-page http://10.169.130.50/landing.php/Aruba_Login.php

Page 39: Invalid Profile when Onboarding
•  iOS expects to trust the web server hosting the profiles being pushed
•  Multiple options to resolve
   –  Use HTTP if using L2 WiFi encryption
   –  Install a publicly signed web server certificate
   –  Sign the web server certificate from the Onboard CA
•  It's all about iOS server trust

Page 40: Q&A

Page 41: The Airheads Challenge
Use Unlock Code "ONBOARD" to get the quiz for this session. Login to play at community.arubanetworks.com

Page 42: Thank You
